I'm trying to build a RPi4 system that uses a LUKS encrypted disk.
But I cannot get the volume to be unlocked when the system boots.
I have install Fedora-Minimal-34-1.2.aarch64.raw.xz to with arm-image-installer --target=rpi4 and that boots.
That I have added a new partition to that sdcard that I setup using this command from Fedora 34 x86_86 system.
cryptsetup \ --type luks2 \ --cipher xchacha20,aes-adiantum-plain64 \ --hash sha256 \ --iter-time 5000 \ --pbkdf argon2i \ luksFormat ${DEVICE}
I got these settings from a blog on setting up crypt for debian on raspberry pi.
I add an entry to /etc/crypttab for the volume.
When I boot the system I am not prompted for the password to unlock the volume as I was expecting.
Looking in journalctl -b 0 I see these lines:
Apr 06 01:01:36 clef.chelsea.private systemd[1]: dev-disk- by\x2duuid-8c2519ae\x2d78a9\x2d44b0\x2d871f\x2d0aa2422de03a.device: Job dev- disk-by\x2duuid-8c2519ae\x2d78a9\x2d44b0\x2d871f\x2d0aa2422de03a.device/start timed out. Apr 06 01:01:36 clef.chelsea.private systemd[1]: Timed out waiting for device /dev/disk/by-uuid/8c2519ae-78a9-44b0-871f-0aa2422de03a. Apr 06 01:01:36 clef.chelsea.private systemd[1]: Dependency failed for Cryptography Setup for clef-root. Apr 06 01:01:36 clef.chelsea.private systemd[1]: Dependency failed for Local Encrypted Volumes.
Once I log in I can open the volume and mount it
$ cryptsetup luksOpen /dev/mmcblk0p4 clef-root $ mount /dev/mapper/clef-root /mnt
I have tried updating the initrd with:
dracut --force.
And also adding to the kernel command line:
# cat /proc/cmdline BOOT_IMAGE=(hd0,msdos2)/vmlinuz-5.11.12-300.fc34.aarch64 root=UUID=67ca2085-9dab-405b-a042-ff6269816fbc ro rhgb quiet console=tty0 rd.luks.uuid=8c2519ae-78a9-44b0-871f-0aa2422de03a
I have a other systems that use full disk encryption that work. But I have failed to spot the difference between the RPi config and the working systems config.
Do you know what is missing or not configured?
Hmm, just noticed that the kernel command says console is tty0. But when I log in on the console its tty1.
Barry
Just not